RE: New Method for Blocking Code Red and Similar Exploits

From: Mike Batchelor (mikebatat_private)
Date: Wed Aug 08 2001 - 15:10:36 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    The bad news is that it consumes ~15% CPU capacity on 7200 class routers, and
    leaves open TCP sessions on the servers it is protecting.  This is because
    the router must allow the SYN to pass and the session to be established
    before it can see the request URL.  Then it cuts the session off at the
    knees, and does not send a RST to the server, whose session is left hanging
    until the stack times it out.
    
    This "cure" can cause problems worse than the disease.  I advise extreme
    caution to anyone trying this.
    
    > -----Original Message-----
    > From: Randall S. Benn [mailto:rbennat_private]
    > Sent: Tuesday, August 07, 2001 3:31 PM
    > To: incidentsat_private
    > Subject: New Method for Blocking Code Red and Similar Exploits
    >
    >
    > A new method for blocking Code Red and similar exploits that use
    > HTTP GET requests has been published.  The method uses new
    > capabilities within Cisco IOS software.  Read the on-line advisory at:
    >
    > http://iponeverything.net/CodeRed.html
    >
    > The beauty of this solution is that it can be used to block Code
    > Red infections today and can be easily modified with new
    > signatures in the future using the HTTP sub-port classification
    > mechanism in IOS.
    >
    > Randy
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO3G43EksS4VV8BvHEQJv/QCgyaEcRqBCprySfCQ2/HrR06uAf6wAnRtT
    WG34/0xdzaRlADizG+meoYor
    =y8p9
    -----END PGP SIGNATURE-----
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
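The failure mode Mike describes, a URL-inspecting filter that can only act after the handshake has completed and then drops the flow without resetting the server side, is easy to see in a small protocol model. The following is an added illustration written for this archive page; it is not Cisco IOS code, not the configuration from the linked advisory, and not anything posted in the thread. It assumes a toy three-way handshake, a placeholder URL signature (`/blocked-signature`, constructed, not the real Code Red request), and two constructed addresses. `run_scenario(False)` models the behaviour complained about (silent drop, server left in ESTABLISHED until its stack times out); `run_scenario(True)` models the fix a practitioner would want, a RST delivered to the server so its session table is cleared.

```python
"""Toy model of a router that inspects the HTTP request URL and cuts the session.

Added example, not Cisco code. The point it shows: the router cannot see the URL
until after SYN / SYN-ACK / ACK, so by the time it acts the server already holds an
ESTABLISHED session; unless the router also sends a RST to the server, that
session hangs until the server's stack times it out.
"""
from dataclasses import dataclass

# Constructed placeholder; the real Code Red request is deliberately not used here.
BLOCKED_URL_SIGNATURE = "/blocked-signature"


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset           # subset of {"SYN", "ACK", "PSH", "RST"}
    payload: str = ""


class Server:
    """Very rough host TCP stack: one state per client address."""

    def __init__(self):
        self.sessions = {}     # client address -> "SYN_RECEIVED" | "ESTABLISHED"

    def receive(self, seg):
        state = self.sessions.get(seg.src)
        if "RST" in seg.flags:
            # A reset tears the session down immediately, no timeout needed.
            self.sessions.pop(seg.src, None)
            return None
        if "SYN" in seg.flags and state is None:
            self.sessions[seg.src] = "SYN_RECEIVED"
            return Segment(seg.dst, seg.src, frozenset({"SYN", "ACK"}))
        if "ACK" in seg.flags and state == "SYN_RECEIVED":
            self.sessions[seg.src] = "ESTABLISHED"
            return None
        if seg.payload and state == "ESTABLISHED":
            return Segment(seg.dst, seg.src, frozenset({"ACK", "PSH"}),
                           "HTTP/1.0 200 OK\r\n\r\n")
        return None


class Router:
    """In-path filter that can only classify once request payload is visible."""

    def __init__(self, send_rst_to_server):
        self.send_rst_to_server = send_rst_to_server
        self.cut = set()       # clients whose session has been cut off

    def forward(self, seg):
        """Return the segments the server actually receives for this client segment."""
        if seg.src in self.cut:
            return []          # already cut: silently dropped from here on
        if seg.payload.startswith("GET ") and BLOCKED_URL_SIGNATURE in seg.payload:
            self.cut.add(seg.src)
            if self.send_rst_to_server:
                # Clean variant: spoof a RST toward the server so its state is freed.
                return [Segment(seg.src, seg.dst, frozenset({"RST"}))]
            return []          # behaviour from the thread: drop, no RST
        return [seg]           # handshake segments and benign requests pass


def run_scenario(send_rst_to_server):
    """Drive one client through handshake + blocked GET; return the server's table."""
    server = Server()
    router = Router(send_rst_to_server)
    client, srv = "198.51.100.7", "192.0.2.10"     # constructed addresses
    segments = [
        Segment(client, srv, frozenset({"SYN"})),
        Segment(client, srv, frozenset({"ACK"})),   # client's final handshake ACK
        Segment(client, srv, frozenset({"ACK", "PSH"}),
                f"GET {BLOCKED_URL_SIGNATURE} HTTP/1.0\r\n\r\n"),
    ]
    for seg in segments:
        for delivered in router.forward(seg):
            server.receive(delivered)
    return dict(server.sessions)


if __name__ == "__main__":
    print("drop without RST :", run_scenario(False))   # session left ESTABLISHED
    print("drop with RST    :", run_scenario(True))    # session table empty
```

The model ignores sequence numbers and the client side of the teardown; a real middlebox would have to send a RST with a valid sequence number in both directions, and the CPU cost Mike reports comes from inspecting every flow's first payload segment, which this toy does for free.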
    



    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 15:39:06 PDT